Overview

overview

10

Static

static

10

gang.rar

windows10-ltsc 2021-x64

10

Builder.exe

windows10-ltsc 2021-x64

10

���w.pyc

windows10-ltsc 2021-x64

READme.txt

windows10-ltsc 2021-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    gang.rar

  • Size

    7.5MB

  • Sample

    250208-xx2z5s1kal

  • MD5

    528a918c0a4665248468d245ffe91c9a

  • SHA1

    e4e001e749f4c9c7ee99f94741c509d50541184d

  • SHA256

    195ac00a0a4278fffad8f754ca723058481f97488303436ba35a739d47d3b8b0

  • SHA512

    b92e643569e88458419e7b55b29e129b03d88722a99fc05a1491f3ce4c6099c829a0c482df5dd08f5122f48fd9a212c32e0fb5a00d2206fa8abc0d064f7ea7f7

  • SSDEEP

    196608:W9eVgZAuNpvcIhi9GOUt43Ra5LwUpgXOH2c:W9UQpv4UtmRa5MV+Wc

Score
10/10
blankgrabberadwaredefense_evasiondiscoveryexecutionpersistenceprivilege_escalationstealerupx

Malware Config

Targets

    • Target

      gang.rar

    • Size

      7.5MB

    • MD5

      528a918c0a4665248468d245ffe91c9a

    • SHA1

      e4e001e749f4c9c7ee99f94741c509d50541184d

    • SHA256

      195ac00a0a4278fffad8f754ca723058481f97488303436ba35a739d47d3b8b0

    • SHA512

      b92e643569e88458419e7b55b29e129b03d88722a99fc05a1491f3ce4c6099c829a0c482df5dd08f5122f48fd9a212c32e0fb5a00d2206fa8abc0d064f7ea7f7

    • SSDEEP

      196608:W9eVgZAuNpvcIhi9GOUt43Ra5LwUpgXOH2c:W9UQpv4UtmRa5MV+Wc

    Score
    10/10
    defense_evasiondiscoveryexecutionupx

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

      defense_evasion

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1

    • Target

      Builder.bat

    • Size

      7.6MB

    • MD5

      37da96d2c3bf1fd9143144f9ae793484

    • SHA1

      b152d144ad97fd5f71915334f5d5649ce7ebc1c5

    • SHA256

      7b245e785c43e5b8087809d359255ed2eb02205357808a1e3a82f9fcc27df1c8

    • SHA512

      fb4985ff27ae5dca480877046b4cdb15f40369f29356d7a4cb5cabed74df035f66850c552a8a5cc354d6f47fb8f24daa8779f9ae7b08b618da6f925a8cef637a

    • SSDEEP

      196608:CZD+kdbdwfI9jUCBB7m+mKOY7rXrZusooDmhfvsbnTNWm:i5wIHL7HmBYXrYoaUN5

    Score
    10/10
    defense_evasiondiscoveryexecutionupx

    • Deletes Windows Defender Definitions

      Uses mpcmdrun utility to delete all AV definitions.

      defense_evasion

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral2

    • Target

      ���w.pyc

    • Size

      1KB

    • MD5

      9c9bba50af8c3ca9537752bdf3209c5e

    • SHA1

      6990656d0e998599848fc4b0acf31a27ae5a12d6

    • SHA256

      8be1105124ae6f6db5866aaf85e1f04d3f760327d15b187a2db44c8de0c96d18

    • SHA512

      f7becaeae2951e1d91d0607edfed14e23596d1c825d5cf37ac454928eda150cf87fcc35b92649adcfd38cfc043bc76b435002b8e04c2adc8a778c1f39cf9dc46

    Score
    1/10
    behavioral3

    • Target

      READme.txt

    • Size

      170B

    • MD5

      10a5016f49ef1acacd6998ace35d85e6

    • SHA1

      49eb4d70a5aea7f79c6e545d87b4863bfa350503

    • SHA256

      b30d3a21941310b108baf1dddfc8b363a81a033025ef045d267142eb9f9e78af

    • SHA512

      20ba3c146ef15afb526a4bd7842f4cafb0042e2258022fd3deaa8150656d10c45714bdc8c1e48434781841bae3a9f5bd4fbe081c2dfbdd14a22f36bb0b3048f6

    Score
    8/10
    adwarediscoverypersistenceprivilege_escalationstealer

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Installs/modifies Browser Helper Object

      BHOs are DLL modules which act as plugins for Internet Explorer.

      stealeradware

    • Drops file in System32 directory

    behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2
T1059

PowerShell

1
T1059.001

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

4
T1112

Credential Access

Discovery

Process Discovery

1
T1057

Query Registry

3
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks